
Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering."
Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

Given the complications of anonymity, subterfuge, and just outright corruption that could complicate an e-mercenary squad, the implications of this sort of thing proliferating will be HUGE. I don't like the idea of the government getting involved where they aren't needed, but at least they are typically either amenable to openness (via the FOIA or similar), or they are large enough to have a whistleblower ecosystem pre-installed (e.g. Bradley Manning). A private third party, whose allegiance might literally even be to a foreign state, is a very scary thought.

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...

Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...

As well it should. Security is one thing, chasing criminals is quite another.

Protecting your network does not include attacking others. Packets arriving on your router are in no way like bullets arriving on your front door.

What's needed is a fast, focused, obligatory response from upstreams. Too often complaining about an attack, even when the source is a known single point, results in no action at all from your provider.

Be careful what you wish for. You might just get it. A packet is not a bullet. Don't equate the two metaphorically.

When you start giving people attack authorization in an effort to curb ping floods you are asking for the same type of unfettered authority that big media used to go after Kim Dotcom. You will rue the day such a provision became the law of the land.

The point is that big media used copyright laws to goad big government into taking world scale action, including armed response, arrest, seizure, all in response to a little phrase in the law about "defending their copyright".

Can you imagine what might happen if you gave an Electric Power utility the right to counter attack rather than simply taking their plant control systems off of the public network?

Can you assure me you can write legislation authorizing counter attacks that will never result in more loss of freedom, more abuse of authority? Can you assure me that if I write a blog complaining about brownouts and post a link to the Power Company's complaints page, I won't have jack-booted thugs arriving at my door step simply because other people went to that page and complained also? Can you write legislation that will not be stretched to the point of labeling encryption a munition?

The issue here is infrastructure serving entire cities and states, not some web site that goes down meaning you have to drive to your bank rather than banking online. A thousand bullets hitting the wall of a fortress does nothing. 50 million hitting the wall in the same place may make a little hole after a while.

But the minute I unplug the router and take my oil refinery off the public network, all those "dangerous packets" go nowhere. Exxon does not need counter attack authority. Anyone thinking they do is a very dangerous person.

The point is that big media used copyright laws to goad big government into taking world scale action

Yes they did, and that is utterly unlike private companies taking action for virtual defense. There is nothing whatsoever similar about the two things. I'm not missing anything; you are confusing everything.

all in response to a little phrase in the law about "defending their copyright".

Defense of copyright is an abstract concept with a huge legal and regulatory structure built around it. What it is not at

You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right? Among the dozens of other ways you can be misled about the source of something?

Not too smart to let your adversary control your targeting.

You do know that most "computer systems" are shared hosting, right?

I can't imagine a "team expert" doing very damn much good in most cases, but I can sure imagine a team cowboy doing a whole helluva lot of damage to disposable tentacles, and whole helluva lot of collateral dama
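The point about source addresses above is worth seeing in bytes. The following is an added example, not code from the original thread: it builds an IPv4 header with an arbitrary source address and then "validates" it the way a router would. The header checksum passes no matter what address is written into the source field, because nothing in the packet binds that field to the host that actually emitted it. The addresses are documentation ranges chosen for the example.

```python
import struct
import ipaddress

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Serialize an IPv4 header. 'src' is whatever the sender chooses to write."""
    version_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    header = struct.pack(IPV4_HEADER_FMT, version_ihl, 0, total_len, ident, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4_header(header: bytes) -> dict:
    """Decode the header and verify its checksum as a forwarding device would."""
    fields = struct.unpack(IPV4_HEADER_FMT, header[:20])
    return {
        "src": str(ipaddress.IPv4Address(fields[8])),
        "dst": str(ipaddress.IPv4Address(fields[9])),
        "ttl": fields[5],
        # Summing a header that includes its own checksum yields 0xFFFF,
        # so the recomputed complement is 0 for an intact header.
        "checksum_ok": ipv4_checksum(header[:20]) == 0,
    }


def spoof_demo() -> dict:
    """Constructed scenario: a host at 192.0.2.10 sends a packet to the
    target 198.51.100.9 but writes an innocent third party, 203.0.113.7,
    into the source field. Nothing in the packet records 192.0.2.10."""
    forged = build_ipv4_header("203.0.113.7", "198.51.100.9", payload_len=8)
    return parse_ipv4_header(forged)


if __name__ == "__main__":
    print(spoof_demo())
```

A "digital Blackwater" that aims at the source field aims at 203.0.113.7, the one party in this scenario that sent nothing. The only real mitigation is upstream: ingress filtering at the network edge (BCP 38), which drops packets whose source address could not legitimately come from that interface, and which is exactly the kind of obligatory upstream response the thread asks for.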

You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right?

Presumably a "digital blackwater" would be able to double check before attacking.

You do know that most "computer systems" are shared hosting, right?

Yes, I also know that the shared hosting can impose processor and memory limits on slices so impact of attacking that share would not affect the other shares (unless you are talking about a reverse denial of service, which I am not).

Which is precisely the problem. If you are a corporation then US law prohibits you from striking back. So all you can do is play defense defense defense. You can harden your systems all you want but being a stationary and fallible target it's almost inevitable that you'll be compromised. It's too easy to compromise a system. And even if you identify the attackers it's unclear if the judicial system simply doesn't care or the government is the attacker. It's incredibly difficult to press charges ag

So all you can do is play defense defense defense. You can harden your systems all you want but being a stationary and fallible target it's almost inevitable that you'll be compromised. It's too easy to compromise a system

Maybe the " defense defense defense" approach is flawed also (or perhaps the way that people "play defense" is flawed). Perhaps you start by looking at what technologies have been compromised most frequently and you avoid those technologies.

That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.

This is terrible terrible news for the coffee shops of the world that offer free wifi.

Because if someone can break in, either the company broken into is completely incompetent at their own security, or the attacker is good enough to have the foresight required to not to launch an attack from their own network.

Uncle Sam already plays a heavy hand by defining standards that apply to software products that are sold to the US government. Ever hear of FIPS 140-2? The document that says exactly which encryption algorithms are allowed and not allowed? Both Microsoft and Linux vendors (RedHat, SuSE) have incorporated FIPS mode in their operating systems. Not surprisingly, these modes are generally turned off...

It doesn't. It mandates the use of FIPS 140-2 validated components when doing business with or for the Federal Gov't.

Most people wouldn't even know if it was turned on. All it really does is set a configuration where when you use crypto all that is available to choose from is 3DES and AES. And for hashes, SHA-1 or SHA-2 suite. You can't use MD5, Blowfish, DES, or some proprietary crap the vendor is trying to pawn off to lock you in.

And it must be a validated implementation. That is, you can't code up your own version of AES in Javascript and use that. Yes, OpenSSL has a validated version and that is the core module used by almost everyone in FOSS land.

I'm having a hard time understanding why, of all the things gov't mandates, picking on THAT one as a bad example.

I have lots of issues with FIPS 140-2. Number one on the list is the fact that the list does more to constrain algorithms than to guarantee a good algorithm will be used.
Number two... people are afraid to upgrade to a newer OpenSSL with security patches for fear of losing their precious $50,000 validation.
I also have issues with the self-testing requirements. It's a waste of CPU time. Why make people wait an extra half-second every time they open a program that uses encryption?

I'm not sure I understand. By constraining algorithm choice to good algorithms it guarantees a good algorithm will be used. Are you saying that the SHA-2 suite and AES are not good algorithms?

The recent validation of OpenSSL FIPS Object Module 2.0 should address fear of patches. If it doesn't, then they are either dicking with the code themselves and are rightfully fearful, or don't understand the process.

As for self-testing requirements, wow. That explains the issue. That mentality right there is why secur

To ensure that the module itself hasn't been tampered with once it has been validated.

Verifying correctness of the algorithms and their implementation was the purpose of the lengthy NIST validation process.

After that, before each use, they're checking to make sure someone hasn't pulled a fast one and modified the code.
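What the self-test requirement discussed above actually consists of, as an added illustration rather than code from the thread or from the OpenSSL FIPS Object Module: a software integrity check over the module image (an HMAC compared against the value recorded when the module was validated) and known-answer tests that feed each approved algorithm a published test vector and refuse to start if the output differs. The same hypothetical provider also shows the algorithm restriction from earlier in the thread, where MD5 simply is not offered. Module image and integrity key are constructed for the example; the test vectors are the public ones from FIPS 180-4 and RFC 4231.

```python
import hashlib
import hmac

# Hash algorithms this hypothetical FIPS-mode provider exposes. Anything
# else (MD5, Blowfish-based constructions, vendor specials) is refused.
FIPS_APPROVED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}

# Known-answer tests: fixed input/output pairs from public standards.
HASH_KATS = [
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha1", b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
]
# RFC 4231 test case 2 for HMAC-SHA-256.
HMAC_KAT = (b"Jefe", b"what do ya want for nothing?",
            "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")


class FipsModeError(Exception):
    """Raised when the module refuses to operate."""


def run_known_answer_tests() -> bool:
    """True only if every approved algorithm reproduces its published vector."""
    for name, message, expected in HASH_KATS:
        if hashlib.new(name, message).hexdigest() != expected:
            return False
    key, message, expected = HMAC_KAT
    actual = hmac.new(key, message, "sha256").hexdigest()
    return hmac.compare_digest(actual, expected)


def record_integrity_mac(module_bytes: bytes, integrity_key: bytes) -> str:
    """What the lab does at validation time: MAC the module image and ship the value."""
    return hmac.new(integrity_key, module_bytes, "sha256").hexdigest()


def integrity_check(module_bytes: bytes, integrity_key: bytes, expected_mac: str) -> bool:
    """Power-up check: the image loaded now must match the image that was validated."""
    return hmac.compare_digest(record_integrity_mac(module_bytes, integrity_key), expected_mac)


class FipsHashProvider:
    """Hypothetical provider: refuses to initialise unless self-tests pass."""

    def __init__(self, module_bytes: bytes, integrity_key: bytes, expected_mac: str):
        if not integrity_check(module_bytes, integrity_key, expected_mac):
            raise FipsModeError("module integrity check failed; code was modified")
        if not run_known_answer_tests():
            raise FipsModeError("known-answer test failed; algorithm output is wrong")

    def digest(self, algorithm: str, data: bytes) -> str:
        name = algorithm.lower()
        if name not in FIPS_APPROVED_HASHES:
            raise FipsModeError(f"{algorithm} is not available in FIPS mode")
        return hashlib.new(name, data).hexdigest()


if __name__ == "__main__":
    # Constructed module image and key, standing in for the real binary.
    image = b"constructed module image"
    key = b"integrity-key-from-validation"
    shipped_mac = record_integrity_mac(image, key)
    provider = FipsHashProvider(image, key, shipped_mac)
    print(provider.digest("sha256", b"abc"))
```

The half second the thread complains about is these checks running on every load. The integrity MAC catches a patched or trojaned module; the known-answer tests catch a build whose arithmetic is wrong, whether from a bad compiler, a bad optimisation, or a deliberate change. Neither proves the algorithm is good; that was the validation's job, and these tests only confirm the thing running is still the thing that was validated.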

Ken Thompson's ACM classic Reflections on Trust [bell-labs.com] back in 1984 really laid this issue bare. He was discussing compilers, and considering OpenSSL's validation is for source code and you can co

Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?

Seriously, though. What kind of "action" does the honorable senator expect from Obama? I dunno, it seems Obama isn't just seen as some kind of magic worker by some voters (akin to "we gotta get economy back on track, Obama, go an fix!"); the honorable senator seems to have fallen for the same spell. Great wizard Obama, swing your magic wand and DO SOMETHING!

There is no legal solution for it, though. First of all, you can't just outlaw hacking. That's already the case, you know? What do you want? More severe punishment? Doesn't faze the guy in Iran, China or $whatever-stan who wants to blow up your power plant. The only thing that might accomplish is to quench "hacktivism" akin to Anonymous with the drawback that everyone who actually knows a thing or two about hacking will keep their mouth shut instead of actually informing the relevant authorities.

Require companies to tighten their security? Then we are where we are already: where security is a topic for risk management, not for IT. How much does it cost to implement security? How much is the fine? How likely is it going to happen? Now you can either lower the fine to a ridiculous amount where no halfway large company takes it seriously or jack it up to a level where doing online business becomes Russian roulette for smaller companies.

Because, and here's the actual problem, there is no such thing as perfect security. If everything else fails, your admin might double cross you.

Still, the ONLY place where you can put the lever is the target of attacks, not the source, since the source, as has been stated above, is often outside of your jurisdiction. But is putting the burden on the victim really the way to go? I kinda doubt it.

Bottom line, as long as people and companies have no interest in security, no law you could draft will change their attitude towards it.

If viruses are a big problem (high on people's value scale), then various companies will be happy to sell solutions, as far as feasible. I don't even know all possible solutions, since that is the point of creative entrepreneurship.
But some examples I can imagine: pick an ISP who quarantines infected computers, use VPN to create a virtual network of secure machines on an insecure network, build a more secure OS (see security design in modern mobile OSes, or isolation in modern browsers), use alternate net

If folks actually think government agencies and industry aren't well aware of the criticality of the security threats then they are living in a fantasy world. I can believe congress has that attitude. Those folks are literally 10 years or more behind the curve in IT technology. And this just sounds like another attempt at grabbing more control of the internet by fear mongering.

The threat of terrorist attacks before 9/11--I'll interpret that to mean "the impending threat leading up to 9/11"--is nothing. It's akin to the threat of getting hit by a meteor, or lightning. It'll happen -eventually-, for sure; there's always been terrorists, lightning, and meteors. Here's the thing: Terrorists hit shit with the planes because of dumb luck. They've been in and out and tried this stuff for decades, finally got one through, and haven't since. TSA is ineffective as hell, but locked c

The threat before 9/11 was well known, not only by our own people, but by other mid-east countries that tried to warn us, and even tried to hand over Bin Laden. Clinton was too busy getting BJs by Lewinsky to even worry about what everyone was telling him. After all, two previous bomb attempts on World Trade were merely petty criminals, right?

Means and methods were not discovered until after the fact, but they were there and these particular terrorists were already being watched. One was already in jail.

2 previous bomb attempts on the WTC, also the Oklahoma City Bombing, some other random crap from here or afar.

You make my point for me though. There was terrorism before 9/11. There is terrorism after 9/11. 9/11 wasn't special, it wasn't the beginning of a trend, it wasn't a new thing; it was the exercised probability that you'll get hit by lightning. Yeah, okay, maybe somebody dropped the ball; eventually somebody always drops the ball.

... for once, we all should be thankful for our lawmakers' inability to act...

Only once? While gov't does occasionally get things right, getting it wrong is hardly a rare instance.

Think about how often gov't gets it wrong with respect to tech issues. The truth is they get it wrong just as often in other domains as well. We merely don't understand those other domains so we don't see the problems, we read some news article and all we see is legislation with good intentions. I'm sure some non-techie is reading an article about gov't going to increase cybersecurity and is thinking "sounds like a good idea".

IMHO we in the U.S. are judging our politicians too often by their good intentions rather than their actual performance, and politicians have adapted to this environment accordingly. All they really care about is that they hold the "correct" stand on an issue, not actually accomplishing anything. Until we start voting out people because they supported well intended but poorly thought out legislation little will change.

I am constantly amazed at arguments in favor of whatever government action folks want that base their premise on the trustworthiness of government. Why does anyone think they can trust a government? Now I am certainly not an anarchist, however I take the same view of centralized government that the founders of the US took - powerful central governments will inevitably grow and be corrupted because they are comprised of humans who are eminently corruptible.

It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector. They are all made of the same human stuff, all just as corruptible - the only meaningful difference is that the humans in government wield the power of massive force to accomplish their goals.

The government has NO business getting involved with cyber security any more than they do getting involved with how I secure my house or car. The government sucks at doing things efficiently and using best practices - the examples are legion.

People need to take personal responsibility for their systems and decisions.

THE GOV'T DOES THIS. NIST 800-137 is all about "Continuous Monitoring" which means "set baseline configs, make sure they're followed". USGCB is used for Windows 7 and RHEL Desktops, and CIS commonly used for most everything else. (USGCB and CIS for Win7 are almost identical.)

Let me repeat that. CIS is frequently used as the config gold standard for Windows, Linux & Solaris servers as well as Cisco equipment. For the things CIS doesn't have, they use DISA STIGs, which are just as good but m
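The "set baseline configs, make sure they're followed" loop described above, as an added example that is not from the thread or from NIST, CIS or DISA: a small drift checker that parses an sshd_config and reports every directive that differs from a baseline. The baseline items are illustrative choices for the example, not text from any benchmark or STIG, and the sample config is constructed. It does follow two real sshd parsing rules that matter for this kind of check: directive names are case-insensitive, and when a directive appears twice the first occurrence wins, so an appended "fix" at the bottom of the file changes nothing.

```python
# Baseline: directive -> value the hardened build is expected to carry.
# Illustrative items for the example, not a CIS/USGCB/STIG extract.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sample config with one drifted directive, one missing
# directive, and a duplicate that sshd ignores because the first wins.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
permitrootlogin no   # appended later; sshd keeps the first value above
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective directives, keyed by lower-cased name.

    Comments and blank lines are dropped; for a repeated directive the
    first occurrence is kept, matching sshd's own behaviour."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                       # malformed line; sshd would reject it
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def check_baseline(config_text: str, baseline: dict = SSHD_BASELINE) -> list:
    """Return (directive, expected, actual) for every deviation.

    'actual' is None when the directive is absent, which a monitoring
    system should treat as a finding rather than assume a safe default."""
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, expected in baseline.items():
        actual = effective.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SAMPLE_CONFIG):
        print(f"{directive}: expected {expected!r}, found {actual!r}")
```

Run on a schedule against every host (or fed the config from a management tool), this is the "continuous" part of continuous monitoring: the baseline is the control, the checker produces evidence that it is in place, and a non-empty finding list is the signal to fix the host or explain the exception.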

How you secure your house or car has little to no bearing on 990100% of your neighbors. The electrical grid and power plant, sewer treatment system, municipal water system, natural gas pipelines and the like are totally different.

Damage to those can cause severe impacts to the community as a whole. The size of the community can vary depending on the system. For example your municipal water system could impact your city, whereas the power plant in your neighborhood could potentially bring down the entire

But just as a locked door isn't enough, governmental police power should be available to apprehend the culprit, if nothing else than to prevent our neighborhoods from becoming running gun battles. This discussion is about allowing power company goons to bash down your door in SWAT gear carrying M16s because your 14 year old hacker son was in the basement shutting down turbines with his iPad.

Just as local police serve as a (supposedly) impartial referee between victim and perpetrator, there has to be

It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector.

You're not thinking it through. Look at the difference between CWLP and Ameren. Both are electrical monopolies in Illinois. CWLP is run by the city of Springfield, Ameren is a publicly held company. CWLP has the lowest electric rates in the state, the least downtime, and the best customer service. Why? Because Ameren is not beholden

It seems like the first dude is worried about what attacks on the infrastructure could do, and he's right. There are already plenty of tools and best practices on securing yourself; more laws would only possibly ease the investigation when a breach happened (which is the reason anyone on the investigative side not making a buck out of it will call for new laws).

Now the scenario on a digital blackwater is not needed due to a lack of laws, rather the problem is that officials will not investigate most cases

I had a chance to see General (Specific) Hayden [eccentrici...gency.info] perform at the Geriatric Thugs & Podium Assassins RapFest. And let me tell you; once he got limbered up with some warm milk and a few raw pork sausages, he really got funky. After the show, he told us 'bout hackin' on his AOL account. Said some bitches wuz 'bout to get bussed up on the tubes, yo. When I asked him if the gubmint knew what I was doing on da web, he said "Don't make me go mercenary an ya ass." an' I knew homey weren't playin no games.

Let's not forget there are companies, including the ones being attacked and hacked, that may very well benefit one way or another from the current state of cyber security as well. They have their own agendas to promote that are in the best interest of the company, but not the country or its citizens.

If companies that gather and/or store sensitive information for others, then screw it up and allow that information into the wrong hands, faced real liability for their failures, perhaps more companies would do a better job of protecting their information. Or even better, some may opt to not gather/store the data in the first place.

I hope Congress is unable to pass cybersecurity legislation until its members understand the internet. The control systems for dams and power distribution can be disconnected from the internet; yet that's the prime scenario for scare stories about Chinese and Iranian hackers. After sufficient hype and scary publicity, laws are proposed to impose greater penalties on copyright violations and limit P2P file transfers in the name of cybersecurity. This happens OVER and OVER!

Passing a law does not make anything secure. What makes things secure is spending resources and time towards security.
Who should be spending those resources? The companies that are taking security risks and exposing attack areas.

Regarding incentives to do better, corporations already have them, as security attacks are PR nightmares which push consumers to competitors and losing money is bad business.
Congress on the other hand has incentives to over-estimate the risk and over-spend (since it's tax mone